EXECUTIVE SUMMARY:
LofyStealer is a modular infostealer that targets young users by disguising itself as a Minecraft hack called “Slinky”. It uses the official game icon to induce voluntary execution, exploiting the trust users place in the gaming scene. The threat operates in two stages: a 53.5 MB Node.js loader packaged with pkg, and a 1.4 MB native C++ payload that is decrypted in memory and injected directly into the victim’s browser processes via direct syscalls to the Windows kernel. The loader’s large size and the thousands of legitimate libraries bundled with it are intended to “dilute” malicious signatures and to exceed sandbox upload limits.
The malware is a comprehensive infostealer that targets 5 data categories across 8 different browsers: browser cookies, browsing history, saved passwords, autofill data, and credit card numbers. Its two-stage modular structure and in-memory payload injection are designed to evade detection, which makes it difficult for traditional security software to detect and remove. It communicates with its command-and-control (C2) server over WebSocket; the server is hosted on a specific IP address and is used both to receive stolen data and to deliver commands from the attackers. The design is highly customizable, allowing the attackers to select which types of data are stolen and which communication protocols are used.
Because the loader and the payload are separate stages, static analysis alone leaves open questions that only dynamic analysis can settle: the exact symmetric encryption algorithm used to decrypt the payload, any persistence mechanisms that static analysis did not identify, and the specific WebSocket fallback behaviour. The malware is a significant threat to Minecraft players and to anyone using the targeted browsers; users should be cautious when downloading and executing files from untrusted sources.
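The two behaviours above that a defender can look for together, a process reading browser credential stores and then opening a WebSocket to a bare IP address, are checked in the following added example over constructed endpoint telemetry. It is not code from the report or the malware; the log format, field names, paths and IP addresses are all assumptions made for the example.

```python
"""Triage constructed endpoint telemetry for the LofyStealer pattern:
a process reads browser credential stores (T1555.003) and also opens a
WebSocket connection to a literal IP address (T1071.001). The log line
format and every sample value below are constructed for this example."""
import ipaddress
import re
from collections import defaultdict

# Browser data files tied to the categories the report lists (cookies,
# history, passwords, autofill/card data). Chromium names are well known;
# the Firefox names are included as an assumption.
BROWSER_STORES = {"Login Data", "Cookies", "History", "Web Data",
                  "logins.json", "cookies.sqlite"}

# Constructed log format: pid=<n> image=<path> event=<type> <key=value ...>
LINE_RE = re.compile(r"pid=(?P<pid>\d+) image=(?P<image>.+?) event=(?P<event>\w+) (?P<rest>.*)")

def parse(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_bare_ip(host):
    """True when the C2 host is a literal IP rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage(lines):
    """Return {pid: image} for processes that both read a browser store and
    opened a WebSocket (HTTP upgrade) to a bare IP address."""
    touched, upgraded, images = defaultdict(set), set(), {}
    for line in lines:
        ev = parse(line)
        if not ev:
            continue
        pid, rest = ev["pid"], ev["rest"]
        images[pid] = ev["image"]
        if ev["event"] == "FileRead":
            # path= is the last field, so the remainder of the line is the path
            path = rest.split("path=", 1)[1].strip().replace("\\", "/")
            if path.rsplit("/", 1)[-1] in BROWSER_STORES:
                touched[pid].add(path.rsplit("/", 1)[-1])
        elif ev["event"] == "NetConnect":
            fields = dict(kv.split("=", 1) for kv in rest.split())
            if fields.get("upgrade") == "websocket" and is_bare_ip(fields.get("host", "")):
                upgraded.add(pid)
    return {pid: images[pid] for pid in touched if pid in upgraded}

# Constructed sample: a fake "Slinky" binary in Downloads versus Chrome itself,
# which legitimately reads its own Login Data but talks to a hostname.
SAMPLE = [
    r"pid=4120 image=C:\Users\kid\Downloads\Slinky.exe event=ProcessStart parent=explorer.exe",
    r"pid=4120 image=C:\Users\kid\Downloads\Slinky.exe event=FileRead path=C:\Users\kid\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"pid=4120 image=C:\Users\kid\Downloads\Slinky.exe event=FileRead path=C:\Users\kid\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"pid=4120 image=C:\Users\kid\Downloads\Slinky.exe event=NetConnect host=198.51.100.23 port=8080 upgrade=websocket",
    r"pid=7700 image=C:\Program Files\Google\Chrome\Application\chrome.exe event=FileRead path=C:\Users\kid\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"pid=7700 image=C:\Program Files\Google\Chrome\Application\chrome.exe event=NetConnect host=www.example.com port=443 upgrade=websocket",
]

if __name__ == "__main__":
    for pid, image in triage(SAMPLE).items():
        print(f"suspicious: pid {pid} {image}")
```

The browser itself reading its own credential store is expected; the pairing with a WebSocket to a literal IP is what separates the stealer from benign activity in this sample.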
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.006 | Command and Scripting Interpreter | Python |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
|---|---|---|
| Collection | B0028 | Cryptocurrency |
| Anti-Behavioral Analysis | F0001 | Software Packing |
| Anti-Static Analysis | B0012 | Disassembler Evasion |
| Command and Control | B0030 | C2 Communication |
| Execution | E1204 | User Execution |
REFERENCES:
The following reports contain further technical details:
https://thehackernews.com/2026/04/brazilian-lofygang-resurfaces-after.html
https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft/